Chapter IV – Security Control and Management of Mobile Devices
Article 15 | (Definition of mobile devices)
- Mobile device: A portable device capable of computing, processing and storing data and of network connectivity, including but not limited to smartphones, laptop computers, tablets and PDAs.
- Bring Your Own Device (BYOD): A portable mobile device not owned by the organization that is used to handle organizational affairs and that connects directly to the organization's network equipment or services, with the capability of computing, processing and storing data and of network connectivity.
Article 16 | (Scope of application of directions on mobile devices)
For the purposes of these directions, "mobile device" is limited to a mobile device that is used to handle affairs the organization has defined as sensitive and that can connect directly to the organization's network equipment and services.
Article 17 | (Control and management of mobile devices and equipment for business use)
- An organization shall establish procedures for requesting, using, renewing and returning a mobile device and for reporting its loss.
- When a staff member changes role or leaves the organization, the mobile device should be reset, or its settings cleared, so that the device is returned to a known secure state.
- An organization shall conduct risk assessments of its mobile devices and of the resources those devices can reach, and shall implement security control and management measures appropriate to the results, such as screen locking, restrictions on access to sensitive information, installation of antivirus software and installation of mobile device management (MDM) software.
- An organization is advised to apply the following security control and management measures to mobile devices that store sensitive information:
  - It is advisable that a mobile device have an identity verification mechanism.
  - It is advisable that only an authorized party be allowed to change the operating system environment settings of a mobile device.
  - It is advisable to examine the operating system and antivirus software of the mobile device regularly and to prevent the user from making unauthorized changes to its settings, such as jailbreaking or rooting.
  - It is advisable that a mobile device have a means of deleting its data when the device is lost, e.g. remote wipe, or automatic deletion of data after a set number of failed identity verification attempts.
  - It is advisable that a mobile device restrict or disable unnecessary wireless connections, such as NFC, infrared, Wi-Fi or Bluetooth.
  - It is advisable that a mobile device use encryption or data masking to protect sensitive information in transit.
  - It is advisable that a mobile device avoid storing sensitive information locally, or encrypt any sensitive information it does store.
- A mobile device used to handle an organization's business should not have unofficial mobile applications installed, or should install only applications on the organization's list of tested and approved apps.
Article 18 | (Management of BYOD)
- An organization shall periodically review and restrict the purpose and period of use of a BYOD and the types of data handled on it.
- An organization shall sign a BYOD usage agreement with the owner of the device, covering the restrictions on use and the liabilities of each party, among other terms.
- An organization is advised to prohibit unauthorized connection of a BYOD to the Internet through the organization's internal information and communication equipment.
Article 19 | (Security control and management of a mobile app)
- An organization shall take appropriate measures to de-identify sensitive information before sending it to a user by text message or through any other messaging channel of its mobile app.
- An organization shall establish a mechanism for detecting counterfeit versions of its mobile app, to protect the rights and interests of its clients.
- When its mobile app is launched, an organization shall alert the user to the potential risks if the app detects that the user's mobile device may be compromised (for example, rooted or jailbroken, or with USB debugging enabled).
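As an added illustration that is not part of these directions, the following Android (Java) class shows the kind of start-up check the third paragraph of Article 19 describes: it looks for common rooting indicators and for USB debugging, and shows a warning dialog if any are found. The class name, the list of su paths and the dialog text are assumptions of this example; the Android APIs used (Build.TAGS, Settings.Global.ADB_ENABLED, AlertDialog) are real.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.os.Build;
import android.provider.Settings;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/**
 * Heuristic compromised-device check run when the app is launched.
 * Illustrative example only: the signals below can be hidden by a
 * determined user (root-hiding tools, hooking frameworks), so a non-empty
 * result is grounds for the warning Article 19 requires, not proof.
 */
public final class DeviceIntegrityCheck {

    // Assumed list of well-known locations of the su binary and superuser apps
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
        "/data/local/xbin/su", "/system/app/Superuser.apk"
    };

    private DeviceIntegrityCheck() {}

    /** Returns a human-readable list of risk indicators found; empty if none. */
    public static List<String> findRiskIndicators(Activity activity) {
        List<String> findings = new ArrayList<>();

        // Rooting indicator: su binary or superuser app present on disk
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                findings.add("superuser binary present: " + path);
            }
        }

        // Rooting indicator: system image signed with AOSP test keys (typical of custom ROMs)
        String tags = Build.TAGS;
        if (tags != null && tags.contains("test-keys")) {
            findings.add("system image signed with test-keys");
        }

        // USB debugging indicator: ADB enabled in Developer options (0 = off, 1 = on)
        int adbEnabled = Settings.Global.getInt(
                activity.getContentResolver(), Settings.Global.ADB_ENABLED, 0);
        if (adbEnabled == 1) {
            findings.add("USB debugging (ADB) is enabled");
        }
        return findings;
    }

    /** Shows the user-facing warning when at least one indicator is present. */
    public static void warnIfCompromised(Activity activity) {
        List<String> findings = findRiskIndicators(activity);
        if (findings.isEmpty()) {
            return;
        }
        StringBuilder message = new StringBuilder(
                "This device shows signs of being rooted, jailbroken or in debugging mode, "
              + "which may expose your account data:\n");
        for (String finding : findings) {
            message.append("\u2022 ").append(finding).append('\n');
        }
        new AlertDialog.Builder(activity)
                .setTitle("Security warning")
                .setMessage(message.toString())
                .setPositiveButton(android.R.string.ok, null)
                .show();
    }
}
```

Call `DeviceIntegrityCheck.warnIfCompromised(this)` from the launch Activity's `onCreate`. These file and settings checks are client-side and can be defeated by a rooted device that hides them from the app, so in practice they are a first signal to be combined with platform attestation (for example Google's Play Integrity API on Android) rather than relied on alone; the equivalent iOS check would look for jailbreak artifacts in the same spirit.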
Article 20 | (Control and management of release of a mobile app)
- Before releasing its mobile app, an organization shall verify that the permissions the app requests are no more than the services it provides require. The first release, and any subsequent change to the requested permissions, shall be approved by the information security and compliance departments, and records shall be kept to support a comprehensive evaluation of whether the notification obligations under the Personal Data Protection Act have been met.
- An organization shall release its mobile app on a reputable app store or website and shall, at the time of release, disclose what sensitive information the app may access, which mobile device resources it uses, and the permissions it declares and how they are used.
- For a mobile app to be used by investors, an organization shall, before the first release and once a year thereafter, appoint a qualified third-party testing laboratory accredited by the Taiwan Accreditation Foundation (TAF) to carry out and complete information security testing with a passing result. The testing shall be performed in accordance with the basic mobile app information security tests published by the Mobile Application Security Alliance, the implementing organization appointed by the Industrial Development Bureau, Ministry of Economic Affairs.
- When the released app needs to be updated within one year of the laboratory test, the organization shall test, or appoint a third party to test, every important update before it is released. Important updates are changes to functions relating to "placing orders", "accessing account information", "identity verification" and "changes affecting clients' important rights and interests". The tests shall be based on the OWASP Mobile Top 10 and the related test records shall be kept.
- The organization shall establish a review procedure, based on the basic mobile app information security tests published by the Mobile Application Security Alliance, the implementing organization appointed by the Industrial Development Bureau, Ministry of Economic Affairs, for the test reports delivered by the third-party laboratory, to ensure the tests were conducted in accordance with the requirements; the review records shall be kept.